August 7, 2024 at 09:28AM
Cybercriminals can undermine Microsoft Outlook’s anti-phishing measure by using CSS to hide the First Contact Safety Tip, making it invisible to users everywhere except the email preview pane. The same tactic lets cybercriminals add a seemingly legitimate note to phishing emails, which remains a security threat despite some formatting differences. Microsoft plans to review this issue for future product improvements.
After reviewing the meeting notes, it is clear that cybercriminals can bypass Microsoft’s anti-phishing measures in Outlook by using CSS tweaks to hide the First Contact Safety Tip banner. This involves setting the banner’s background and font colors to white within an HTML-crafted email, making it effectively invisible to the end user. There are some limitations, however: the safety tip is still visible in the email preview pane, and more attentive Outlook users may notice differences in formatting.
Additionally, this method can be used to add a seemingly legitimate note, such as indicating that a message was encrypted or signed, providing an added layer of perceived legitimacy to potential phishing emails.
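The defensive counterpart to the technique described above is to scan inbound HTML for text rendered in the same colour as its background. The following Python scanner is an added example, not code from the researchers or from Microsoft, and the sample email it runs over is constructed for illustration. Outlook’s actual banner markup is not described here, so the scanner checks the generic pattern the report names (foreground colour equal to the effective background colour, including a background inherited from an enclosing element) and reports the text that would be hidden from the reader.

```python
"""Flag white-on-white (or any same-colour) inline CSS in an HTML email body.

Added defensive example; not code from the original report or from Microsoft.
It implements the generic check the report implies: an element whose text colour
matches its (possibly inherited) background colour hides its content from the reader.
"""
import re
from html.parser import HTMLParser

# Only the named colours the check needs; extend for a production filter.
NAMED_COLORS = {"white": "ffffff", "black": "000000"}

COLOR_RE = re.compile(
    r"#[0-9a-f]{3,6}\b"                                  # #fff or #ffffff
    r"|rgb\(\s*\d+\s*,\s*\d+\s*,\s*\d+\s*\)"             # rgb(255, 255, 255)
    r"|\b(?:white|black)\b"                              # named colours
)


def extract_color(value):
    """Return a 6-digit lowercase hex colour found in a CSS value, or None."""
    m = COLOR_RE.search(value.lower())
    if not m:
        return None
    tok = m.group(0)
    if tok in NAMED_COLORS:
        return NAMED_COLORS[tok]
    if tok.startswith("#"):
        h = tok[1:]
        if len(h) == 3:
            return "".join(c * 2 for c in h)
        return h if len(h) == 6 else None
    r, g, b = (min(int(x), 255) for x in re.findall(r"\d+", tok))
    return f"{r:02x}{g:02x}{b:02x}"


def parse_style(style):
    """Split an inline style attribute into a {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        name, sep, val = decl.partition(":")
        if sep:
            props[name.strip().lower()] = val.strip()
    return props


class HiddenTextScanner(HTMLParser):
    """Tracks effective text/background colours down the element tree."""

    VOID = {"br", "img", "hr", "meta", "input", "link"}

    def __init__(self):
        super().__init__()
        self.open_tags = []    # stack of (tag, hidden, effective_fg, effective_bg)
        self.hidden_depth = 0  # >0 while inside a same-colour element
        self.findings = []     # (tag, colour, hidden text)
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        style = parse_style(dict(attrs).get("style") or "")
        parent_fg, parent_bg = (self.open_tags[-1][2:4] if self.open_tags else (None, None))
        fg = extract_color(style.get("color", "")) or parent_fg
        bg = extract_color(style.get("background-color", "") or style.get("background", "")) or parent_bg
        hidden = fg is not None and fg == bg
        if hidden:
            self.hidden_depth += 1
        self.open_tags.append((tag, hidden, fg, bg))

    def handle_endtag(self, tag):
        if not any(frame[0] == tag for frame in self.open_tags):
            return  # stray closing tag; tolerate sloppy markup
        while self.open_tags:
            t, hidden, fg, _ = self.open_tags.pop()
            if hidden:
                self.hidden_depth -= 1
                if self.hidden_depth == 0:  # outermost hidden element closed
                    text = " ".join("".join(self._buf).split())
                    self.findings.append((t, fg, text))
                    self._buf = []
            if t == tag:
                break

    def handle_data(self, data):
        if self.open_tags and self.open_tags[-1][1]:
            self._buf.append(data)


def find_hidden_text(html):
    """Return [(tag, colour, text)] for every region of same-colour text."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one white-on-white div, one normal paragraph, and a cell
# whose white text sits on a background inherited from the enclosing table.
SAMPLE_EMAIL = """<html><body>
<div style="color:#FFFFFF; background-color: white; font-size: 12px">
  This text is rendered white on white and is invisible to the reader.
</div>
<p style="color: rgb(0,0,0); background: #fff">Normal visible paragraph.</p>
<table style="background:#ffffff"><tr><td style="color:#fff">Hidden cell</td></tr></table>
</body></html>"""

if __name__ == "__main__":
    for tag, colour, text in find_hidden_text(SAMPLE_EMAIL):
        print(f"<{tag}> text #{colour} on #{colour}: {text!r}")
```

A mail gateway would run this over the decoded `text/html` part and quarantine or tag messages with a non-empty result; the inherited-background case matters because the hiding colour need not be on the same element as the text.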
The researchers, William Moody and Wolfgang Ettlinger, informed Microsoft about their findings, but Microsoft has indicated that they do not plan to address this issue in the short term, stating that it mainly applies to phishing attacks and does not meet their immediate servicing bar. However, Microsoft has marked the finding for future review as an opportunity to improve their products.